24 August 2016

Ashley Madison Data Breach

The Privacy Commissioner of Canada and the Australian Privacy Commissioner have released a report on their joint investigation into the 2015 Ashley Madison data breach.

The report states:

On 15 July 2015, a person or group identifying itself as ‘The Impact Team’ announced that it had hacked ALM. The Impact Team threatened to expose the personal information of Ashley Madison users unless ALM shut down Ashley Madison and another of its websites, Established Men. ALM did not agree to this demand. On 20 July 2015, following media reports and after an invitation from the Office of the Privacy Commissioner of Canada (OPC), ALM voluntarily reported details of the breach to the OPC. Subsequently, on 18 and 20 August 2015, The Impact Team published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts. The compromise of ALM’s security by The Impact Team, together with the subsequent publication of compromised information online, is referred to in this report as ‘the data breach’.

Given the scale of the data breach, the sensitivity of the information involved, the impact on affected individuals, and the international nature of ALM’s business, the Office of the Australian Information Commissioner (OAIC) and the OPC jointly investigated ALM’s privacy practices at the time of the data breach. The joint investigation was conducted in accordance with the Australian Privacy Act 1988 (Australian Privacy Act) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). The collaboration was made possible by the OAIC and OPC’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement and pursuant to ss 11(2) and 23.1 of PIPEDA and s 40(2) of the Australian Privacy Act.

The investigation initially examined the circumstances of the data breach and how it had occurred. It then considered ALM's information handling practices that may have affected the likelihood or the impact of the data breach. For clarity, this report makes no conclusions with respect to the cause of the data breach itself. The investigation assessed those practices against ALM's obligations under PIPEDA and the Australian Privacy Principles (APPs) in the Australian Privacy Act.

The primary issue under consideration was the adequacy of the safeguards ALM had in place to protect the personal information of its users. Although ALM's security was compromised by The Impact Team, a security compromise does not necessarily point to a contravention of PIPEDA or the Australian Privacy Act. Whether a contravention occurred depends on whether ALM had, at the time of the data breach:
for PIPEDA: implemented safeguards appropriate to the sensitivity of the information it held; and
for the Australian Privacy Act: taken such steps as were reasonable in the circumstances to protect the personal information it held.

The investigation also considered the following related information handling practices of ALM:
ALM’s practice of retaining personal information of users after profiles had been deactivated or deleted by users, and when profiles were inactive (that is, had not been accessed by the user for an extended period of time);
ALM’s practice of charging users to “fully delete” their profiles;
ALM’s practice of not confirming the accuracy of user email addresses before collecting or using them; and
ALM’s transparency with users about its personal information handling practices.

The investigation identified a number of contraventions of the APPs and PIPEDA.

Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security. Certain security safeguards in some areas were insufficient or absent at the time of the data breach.

The findings of this report include important lessons for other organizations that hold personal information. The most broadly applicable lesson is that it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected. Organizations holding sensitive personal information or a significant amount of personal information, as was the case here, should have information security measures including, but not limited to:
a security policy(cies);
an explicit risk management process that addresses information security matters, drawing on adequate expertise; and
adequate privacy and security training for all staff.

It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework.

The OAIC and OPC provided a number of recommendations for ALM to follow to ensure it addressed the issues discussed in this report and brings itself into compliance with PIPEDA and the Australian Privacy Act with respect to those issues.

The Privacy Commissioner of Canada has accepted a compliance agreement, and the Acting Australian Information Commissioner has accepted an enforceable undertaking, from ALM. In accordance with these agreements ALM will be required to take significant additional steps to address the issues identified in this report to protect the privacy of individuals, some of which have already been initiated by ALM.

Copyright & Liability

Statements in this blog are my own, rather than those of the University of Canberra.

The text and images are protected under Australian and international copyright and trade mark law. The blog does not represent legal advice. It is for informational purposes only; publication does not create an attorney-client relationship and nothing on this blog constitutes a solicitation for business.

The author pleads guilty to charges of irreverence, irony, indignation and honestly-held opinion.